[strongSwan] charon and pluto unresponsive after stress testing with ipsec up and ipsec down in a loop

anand rao anandrao_me at yahoo.co.in
Thu Apr 14 16:34:18 CEST 2011


Hi,

    I am using strongswan 4.3.6. I have configured two peers to establish a tunnel in transport mode.
From one peer I am running a script in a loop in which I am doing
ipsec up example
sleep 5
ipsec down example
sleep 5

For some time the tunnel up/down happens successfully.
After a while I am getting the errors below.

Here is the log for charon

initiating IKE_SA example[67] to 10.1.161.165
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.1.161.188[500] to 10.1.161.165[500]
received packet: from 10.1.161.165[500] to 10.1.161.188[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
authentication of '10.1.161.188' (myself) with pre-shared key
establishing CHILD_SA example
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
received packet: from 10.1.161.165[4500] to 10.1.161.188[4500]
parsed IKE_AUTH response 1 [ IDr AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
authentication of '10.1.161.165' with pre-shared key successful
IKE_SA example[67] established between 10.1.161.188[10.1.161.188]...10.1.161.165[10.1.161.165]
scheduling reauthentication in 3295s
maximum IKE_SA lifetime 3475s
deleting IKE_SA example[67] between 10.1.161.188[10.1.161.188]...10.1.161.165[10.1.161.165]
sending DELETE for IKE_SA example[67]
generating INFORMATIONAL request 2 [ D ]
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
received packet: from 10.1.161.165[4500] to 10.1.161.188[4500]
parsed INFORMATIONAL response 2 [ ]
IKE_SA deleted
initiating IKE_SA example[68] to 10.1.161.165
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.1.161.188[500] to 10.1.161.165[500]
received packet: from 10.1.161.165[500] to 10.1.161.188[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
authentication of '10.1.161.188' (myself) with pre-shared key
establishing CHILD_SA example
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
retransmit 1 of request with message ID 1
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
received packet: from 10.1.161.165[500] to 10.1.161.188[500]
MAC verification failed
verifying encryption payload integrity failed
could not decrypt payloads
IKE_AUTH response with message ID 1 processing failed
retransmit 2 of request with message ID 1
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
received packet: from 10.1.161.165[500] to 10.1.161.188[500]
MAC verification failed
verifying encryption payload integrity failed
could not decrypt payloads
IKE_AUTH response with message ID 1 processing failed
retransmit 3 of request with message ID 1
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
received packet: from 10.1.161.165[500] to 10.1.161.188[500]
MAC verification failed
verifying encryption payload integrity failed
could not decrypt payloads
IKE_AUTH response with message ID 1 processing failed
retransmit 4 of request with message ID 1
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
retransmit 5 of request with message ID 1
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]


The same behavior is observed with pluto also.

The log for pluto is as follows

002 "example" #133: initiating Main Mode
102 "example" #133: STATE_MAIN_I1: initiate
003 "example" #133: ignoring Vendor ID payload [00000000616d69654578697374730000]
003 "example" #133: received Vendor ID payload [XAUTH]
003 "example" #133: received Vendor ID payload [Dead Peer Detection]
104 "example" #133: STATE_MAIN_I2: sent MI2, expecting MR2
106 "example" #133: STATE_MAIN_I3: sent MI3, expecting MR3
002 "example" #133: Peer ID is ID_IPV4_ADDR: '10.1.161.165'
002 "example" #133: ISAKMP SA established
004 "example" #133: STATE_MAIN_I4: ISAKMP SA established
002 "example" #134: initiating Quick Mode PSK+ENCRYPT+UP {using isakmp#133}
110 "example" #134: STATE_QUICK_I1: initiate
002 "example" #134: Dead Peer Detection (RFC 3706) enabled
002 "example" #134: sent QI2, IPsec SA established {ESP=>0x6d58a336 <0xc4d27afa}
004 "example" #134: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x6d58a336 <0xc4d27afa}
002 "example": terminating SAs using this connection
002 "example" #134: deleting state (STATE_QUICK_I2)
002 "example" #133: deleting state (STATE_MAIN_I4)
002 "example" #135: initiating Main Mode
102 "example" #135: STATE_MAIN_I1: initiate
003 "example" #135: ignoring Vendor ID payload [00000000616d69654578697374730000]
003 "example" #135: received Vendor ID payload [XAUTH]
003 "example" #135: received Vendor ID payload [Dead Peer Detection]
104 "example" #135: STATE_MAIN_I2: sent MI2, expecting MR2
106 "example" #135: STATE_MAIN_I3: sent MI3, expecting MR3
002 "example" #135: Peer ID is ID_IPV4_ADDR: '10.1.161.165'
002 "example" #135: ISAKMP SA established
004 "example" #135: STATE_MAIN_I4: ISAKMP SA established
002 "example" #136: initiating Quick Mode PSK+ENCRYPT+UP {using isakmp#135}
110 "example" #136: STATE_QUICK_I1: initiate
010 "example" #136: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "example" #136: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "example" #136: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
002 "example": terminating SAs using this connection
002 "example" #135: deleting state (STATE_MAIN_I4)
002 "example" #137: initiating Main Mode
102 "example" #137: STATE_MAIN_I1: initiate
003 "example" #137: ignoring Vendor ID payload [00000000616d69654578697374730000]
003 "example" #137: received Vendor ID payload [XAUTH]
003 "example" #137: received Vendor ID payload [Dead Peer Detection]
104 "example" #137: STATE_MAIN_I2: sent MI2, expecting MR2
106 "example" #137: STATE_MAIN_I3: sent MI3, expecting MR3
003 "example" #137: next payload type of ISAKMP Hash Payload has an unknown value: 160
003 "example" #137: malformed payload in packet
003 "example" #137: discarding duplicate packet; already STATE_MAIN_I3
010 "example" #137: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "example" #137: next payload type of ISAKMP Hash Payload has an unknown value: 102
003 "example" #137: malformed payload in packet
003 "example" #137: discarding duplicate packet; already STATE_MAIN_I3
010 "example" #137: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "example" #137: next payload type of ISAKMP Hash Payload has an unknown value: 246
003 "example" #137: malformed payload in packet
031 "example" #137: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
002 "example": terminating SAs using this connection


Please help if I am missing anything.

-Anand
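As an added example (not part of Anand's post and not strongSwan code), the script below parses charon log lines of the kind shown above and builds a per-IKE_SA summary: whether the SA was established, how many retransmits it needed, how many integrity ("MAC verification failed") errors it produced, and how many replies arrived from a different UDP port than the one the request was sent to. That last check is the one worth having when reading this log: once the exchange has moved to port 4500, the responses that fail MAC verification come back from port 500, which points at a stale or mismatched SA on the responder rather than a wrong pre-shared key. The sample log is a constructed, condensed copy of the charon excerpt above; the regular expressions match the message formats visible in that excerpt and nothing else.

```python
import re

# Constructed sample: a condensed copy of the charon log excerpt from the post.
SAMPLE_LOG = """\
initiating IKE_SA example[67] to 10.1.161.165
sending packet: from 10.1.161.188[500] to 10.1.161.165[500]
received packet: from 10.1.161.165[500] to 10.1.161.188[500]
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
received packet: from 10.1.161.165[4500] to 10.1.161.188[4500]
IKE_SA example[67] established between 10.1.161.188[10.1.161.188]...10.1.161.165[10.1.161.165]
deleting IKE_SA example[67] between 10.1.161.188[10.1.161.188]...10.1.161.165[10.1.161.165]
IKE_SA deleted
initiating IKE_SA example[68] to 10.1.161.165
sending packet: from 10.1.161.188[500] to 10.1.161.165[500]
received packet: from 10.1.161.165[500] to 10.1.161.188[500]
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
retransmit 1 of request with message ID 1
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
received packet: from 10.1.161.165[500] to 10.1.161.188[500]
MAC verification failed
retransmit 2 of request with message ID 1
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
received packet: from 10.1.161.165[500] to 10.1.161.188[500]
MAC verification failed
retransmit 3 of request with message ID 1
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
received packet: from 10.1.161.165[500] to 10.1.161.188[500]
MAC verification failed
retransmit 4 of request with message ID 1
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
retransmit 5 of request with message ID 1
sending packet: from 10.1.161.188[4500] to 10.1.161.165[4500]
"""

# Message formats as they appear in the charon log above.
INIT_RE = re.compile(r"^initiating IKE_SA (\S+\[\d+\]) to (\S+)")
ESTAB_RE = re.compile(r"^IKE_SA (\S+\[\d+\]) established")
SEND_RE = re.compile(r"^sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
RECV_RE = re.compile(r"^received packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
RETRANS_RE = re.compile(r"^retransmit (\d+) of request")
MAC_FAIL = "MAC verification failed"


def analyse(log_text):
    """Return {ike_sa_name: stats} for every IKE_SA initiated in the log."""
    stats = {}
    current = None        # name of the IKE_SA the following lines belong to
    last_sent_port = None  # peer port the most recent request was sent to
    for line in log_text.splitlines():
        m = INIT_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {"established": False, "retransmits": 0,
                              "mac_failures": 0, "port_mismatch_replies": 0}
            last_sent_port = None
            continue
        if current is None:
            continue  # lines before the first initiation are ignored
        s = stats[current]
        if ESTAB_RE.match(line):
            s["established"] = True
        elif (m := SEND_RE.match(line)):
            last_sent_port = m.group(2)
        elif (m := RECV_RE.match(line)):
            # A reply from a port other than the one we sent to is suspicious:
            # after the switch to 4500 the peer should answer from 4500.
            if last_sent_port is not None and m.group(1) != last_sent_port:
                s["port_mismatch_replies"] += 1
        elif (m := RETRANS_RE.match(line)):
            s["retransmits"] = int(m.group(1))  # log reports a running count
        elif line.startswith(MAC_FAIL):
            s["mac_failures"] += 1
    return stats


def failing_sas(stats):
    """Names of IKE_SAs that never came up despite retransmits or MAC errors."""
    return [name for name, s in stats.items()
            if not s["established"] and (s["retransmits"] or s["mac_failures"])]


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for name, s in result.items():
        print(name, s)
    print("failing:", failing_sas(result))
```

Run against the full daemon log, the first IKE_SA name reported by `failing_sas` marks the iteration of the up/down loop at which the responder stopped answering correctly, which is the point to line up against the responder's own log.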



